Trust & security
LedgerSignal handles sensitive insolvency financial records. We take the security of your data seriously and build our platform with protection at every layer.
Last updated: 6 March 2026
- All data encrypted at rest (AES-256) and in transit (TLS 1.2+)
- AI providers (OpenAI, Google Gemini) do not store or train on your data
- Authentication powered by Clerk (SOC 2 Type II) with multi-factor authentication support
- Infrastructure hosted on AWS (US-East) via Vercel, Neon, and Upstash — all SOC 2 Type II certified
- You can delete your case data at any time
- Privacy policy aligned with the Australian Privacy Act 1988 and APPs
- We are pre-SOC 2 and building toward formal certification
Data protection
- Encryption at rest — AES-256 encryption via Neon PostgreSQL and Vercel Blob storage
- Encryption in transit — TLS 1.2+ on all connections
- Document storage — uploaded files stored in encrypted blob storage with token-based access controls
- Database backups — daily backups with point-in-time recovery via Neon (encrypted at rest)
- No training on your data — neither OpenAI nor Google uses your data to train AI models (both have explicit API data usage policies)
Data residency
LedgerSignal's infrastructure is hosted in the United States (AWS US-East region) via our subprocessors Vercel, Neon, and Upstash. All data processing occurs within this region. We currently do not offer Australian-hosted data residency, but this is on our roadmap as we grow.
AI & data processing
We use large language models for document analysis only — classifying bank statement transactions and extracting structured data. All AI processing happens via API calls: your data is sent, processed, and returned in real time. It is not stored by the AI provider and is not used for model training.
- OpenAI — SOC 2 Type II, ISO 27001
- Google Gemini — ISO 27001, ISO 42001
What happens when you upload a document: your file is stored in encrypted blob storage, then sent to an LLM via API to extract transaction data. The extracted data is saved to your database. The AI provider does not retain your document or the extracted data.
Infrastructure
- Hosting — Vercel (SOC 2 Type II, ISO 27001, PCI DSS)
- Database — Neon PostgreSQL (SOC 2 Type II, ISO 27001, HIPAA)
- File storage — Vercel Blob (AES-256 encryption at rest)
- Background jobs — Upstash (SOC 2 Type II, TLS mandatory)
- All infrastructure runs on AWS (US-East region) with geographic redundancy
Authentication & access control
- Powered by Clerk (SOC 2 Type II certified)
- Multi-factor authentication supported via Clerk
- Session management with automatic expiry via Clerk
- Organisation-level access control — each organisation's data is isolated
- Bot detection and brute-force protection via Clerk
Data lifecycle
- Deletion on demand — you can delete individual cases, uploaded documents, and extracted data at any time from within the application
- Account closure — when you close your account, we delete all your data within 30 days
- Data export — you can export your transaction data as CSV at any time
- Retention — we retain your data only while your account is active
Subprocessors
| Service | Purpose | Certifications |
|---|---|---|
| Neon | Database | SOC 2 Type II, ISO 27001, HIPAA |
| Clerk | Authentication | SOC 2 Type II, HIPAA |
| Vercel | Hosting & file storage | SOC 2 Type II, ISO 27001, PCI DSS |
| Upstash | Background jobs & caching | SOC 2 Type II |
| OpenAI | Document analysis (LLM) | SOC 2 Type II, ISO 27001 |
| Google (Gemini) | Document analysis (LLM) | ISO 27001, ISO 42001 |
| Resend | Email notifications | SOC 2 Type II |
| PostHog | Product analytics | SOC 2 Type II, HIPAA |
| Intercom | Customer support | SOC 2 Type II, ISO 27001, ISO 42001 |
Frequently asked questions
Where is my data stored?
All data is stored in the US-East region on AWS, managed by our subprocessors Vercel (hosting and file storage), Neon (database), and Upstash (background jobs). We do not currently offer data residency in Australia.
Who can access my data?
Only authenticated members of your organisation can access your data. Each organisation's data is isolated at the database level. LedgerSignal staff may access data for support purposes only, with your permission.
Does AI see my documents?
Yes, but only for processing. When you upload a bank statement, it is sent to an AI provider (OpenAI or Google Gemini) via API to extract transaction data. The provider processes it in real time and does not store or train on your data. Both providers have explicit data usage policies confirming this.
What happens if I cancel?
You can export your data as CSV before closing your account. Once your account is closed, all data is permanently deleted within 30 days.
Are you compliant with the Australian Privacy Act?
Yes. Our privacy policy is aligned with the Privacy Act 1988 (Cth) and the 13 Australian Privacy Principles (APPs), including cross-border disclosure requirements for our US-based subprocessors.
Do you have SOC 2 certification?
Not yet. We are an early-stage company and SOC 2 Type II is on our roadmap. In the meantime, all of our infrastructure subprocessors are SOC 2 Type II certified, and we are happy to complete your security questionnaire.
Can you sign a DPA or NDA?
Yes. Our data processing agreement is published and applies to all customers. We are also happy to sign NDAs or confidentiality agreements — email john@ledgersignal.com and we will send these through promptly.